A few updates to security and crypto doc for
NCS 2.8.0 release. Among others:
Security page
nRF Security lib
TF-M
Trusted storage
Access port protection
Signed-off-by: Mia Koen <[email protected]>
The configuration of the :ref:`nrf_security_drivers_oberon` is automatically generated based on the user-enabled algorithms in `Key derivation function configurations`_.
doc/nrf/libraries/security/nrf_security/doc/drivers.rst
Lines changed: 3 additions & 1 deletion
@@ -83,7 +83,7 @@ To enable the :ref:`nrf_oberon_readme` PSA driver, set the :kconfig:option:`CONF
83
83
CRACEN driver
84
84
*************
85
85
86
-
The CRACEN driver provides entropy and hardware-accelerated cryptography using the CRACEN (Crypto Accelerator Engine) peripheral.
86
+
The CRACEN driver provides entropy and hardware-accelerated cryptography using the Crypto Accelerator Engine (CRACEN) peripheral.
87
87
This driver is only available on nRF54L Series devices.
88
88
89
89
Enabling the CRACEN driver
@@ -93,6 +93,8 @@ The CRACEN driver can be enabled by setting the :kconfig:option:`CONFIG_PSA_CRYP
93
93
94
94
The nrf_oberon driver may then be disabled by using the Kconfig option :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_OBERON` (``CONFIG_PSA_CRYPTO_DRIVER_OBERON=n``).
95
95
96
+
For more details on nRF54L Series cryptography operations and the related configuration, see :ref:`ug_nrf54l_cryptography`.
97
+
96
98
.. note::
97
99
On nRF54L Series devices, CRACEN is the only source of entropy.
98
100
Therefore, it is not possible to disable the :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_CRACEN` option when the Zephyr entropy driver is enabled.
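Review bot: The added cross-reference to :ref:`ug_nrf54l_cryptography` (new line 96) lands between the driver enable/disable instructions and the note explaining why ``CONFIG_PSA_CRYPTO_DRIVER_CRACEN`` cannot be disabled while the Zephyr entropy driver is enabled. Consider moving the sentence after the note, or up to the section introduction, so the entropy constraint reads directly after the instructions it qualifies.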
doc/nrf/libraries/security/nrf_security/index.rst
Lines changed: 1 addition & 1 deletion
@@ -5,7 +5,7 @@ nRF Security
5
5
############
6
6
7
7
The nRF Security subsystem (nrf_security) provides an integration between `Mbed TLS`_ and software libraries that provide hardware-accelerated cryptographic functionality on selected Nordic Semiconductor SoCs as well as alternate software-based implementations of the Mbed TLS APIs.
8
-
These libraries include the binary versions of accelerated cryptographic libraries listed in :ref:`nrfxlib:crypto`, and the open source Mbed TLS implementation in |NCS| located in `sdk-mbedtls`_.
8
+
These libraries include the binary versions of accelerated cryptographic libraries listed in :ref:`nrfxlib:crypto`, and the open source Mbed TLS implementation in the |NCS| located in `sdk-mbedtls`_.
9
9
The subsystem includes a PSA driver abstraction layer to enable both hardware-accelerated and software-based implementation at the same time.
10
10
11
11
The nRF Security subsystem can interface with the :ref:`nrf_cc3xx_mbedcrypto_readme`.
doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst
Lines changed: 13 additions & 5 deletions
@@ -141,14 +141,15 @@ Developing with PMICs
141
141
Security
142
142
========
143
143
144
-
Added:
144
+
* Added:
145
145
146
-
* The :kconfig:option:`CONFIG_CRACEN_IKG_SEED_KMU_SLOT` Kconfig option to allow customization of the KMU slot used to store CRACEN's Internal Key Generator (IKG) seed. The default IKG seed slot is now 183 (previously 0).
147
-
* TF-M support to the :ref:`zephyr:nrf54l15dk_nrf54l15` (board target ``nrf54l15dk/nrf54l15/cpuapp/ns``).
146
+
* The :kconfig:option:`CONFIG_CRACEN_IKG_SEED_KMU_SLOT` Kconfig option to allow customization of the KMU slot used to store CRACEN's Internal Key Generator (IKG) seed.
147
+
The default IKG seed slot is now 183 (previously 0).
148
+
* TF-M support to the :ref:`zephyr:nrf54l15dk_nrf54l15` (board target ``nrf54l15dk/nrf54l15/cpuapp/ns``).
148
149
149
-
Removed:
150
+
* Removed:
150
151
151
-
* TF-M support from the :ref:`zephyr:nrf54l15pdk_nrf54l15` (board target ``nrf54l15pdk/nrf54l15/cpuapp/ns``).
152
+
* TF-M support from the :ref:`zephyr:nrf54l15pdk_nrf54l15` (board target ``nrf54l15pdk/nrf54l15/cpuapp/ns``).
152
153
153
154
Protocols
154
155
=========
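Review bot: The entry "The default IKG seed slot is now 183 (previously 0)" records a changed default for the KMU slot holding the IKG seed, but says nothing about devices that were provisioned under the old default. Suggest adding a sentence or a migration-guide link stating whether existing products need to set :kconfig:option:`CONFIG_CRACEN_IKG_SEED_KMU_SLOT` explicitly when upgrading, and confirming that slot 183 cannot collide with KMU slots an application may already use.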
@@ -1119,6 +1120,11 @@ Other libraries
1119
1120
Security libraries
1120
1121
------------------
1121
1122
1123
+
* :ref:`nrf_security_readme` library:
1124
+
1125
+
* Added the :kconfig:option:`CONFIG_PSA_WANT_ALG_SP800_108_COUNTER_CMAC` Kconfig option to key derivation function configurations in :ref:`nrf_security_driver_config`.
1126
+
The Kconfig option enables support for the derivation function SP 800-108r1 CMAC in counter mode, which is supported by the nrf_cracen driver.
1127
+
1122
1128
* :ref:`trusted_storage_readme` library:
1123
1129
1124
1130
* Added support for Zephyr Memory Storage (ZMS), as an alternative to the NVS file system.
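Review bot: In the added nrf_security entry, "which is supported by the nrf_cracen driver" leaves open whether any other driver also implements SP 800-108r1 CMAC in counter mode. If CRACEN is the only one, say so; since drivers.rst states the CRACEN driver is only available on nRF54L Series devices, the entry should then also say that :kconfig:option:`CONFIG_PSA_WANT_ALG_SP800_108_COUNTER_CMAC` is usable only there. Referring to the driver through :ref:`nrf_security_drivers_cracen` instead of the bare name would match the other entries in this changelog.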
@@ -1269,3 +1275,5 @@ Documentation
1269
1275
* The :ref:`programming_params` section on the :ref:`programming` page with information about readback protection moved from the :ref:`ug_nrf5340_building` page.
1270
1276
* The :ref:`security` page with a table that provides an overview of the available general security features.
1271
1277
This table replaces the subpage that was previously describing these features in more detail and was duplicating information available in other sections.
1278
+
* The :ref:`nrf_security_drivers_cracen` section with a reference to the :ref:`ug_nrf54l_cryptography` page.
1279
+
* The :ref:`ug_tfm` page with the correct list of samples demonstrating TF-M.
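Review bot: The two added Documentation entries cover the CRACEN section and the TF-M page, but the same commit also changes the device table and the note in doc/nrf/security/ap_protect.rst, and that change has no entry here. Suggest adding one, and rewording "with the correct list of samples" to state what changed in the list, since readers cannot tell from it which samples were added or removed.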
doc/nrf/security.rst
Lines changed: 3 additions & 4 deletions
@@ -36,16 +36,15 @@ Some of them are documented in detail in other parts of this documentation, whil
36
36
- All samples and applications that support the ``*/ns`` :ref:`variant <app_boards_names>` of the boards.
37
37
* - Trusted Firmware-M (TF-M)
38
38
- TF-M is the reference implementation of `Platform Security Architecture (PSA)`_.
39
-
On nRF5340 and nRF91 Series devices, TF-M is used to configure and boot an application with :ref:`CMSE enabled <app_boards_spe_nspe_cpuapp_ns>`.
39
+
On nRF5340, nRF54L and nRF91 Series devices, TF-M is used to configure and boot an application with :ref:`CMSE enabled <app_boards_spe_nspe_cpuapp_ns>`.
40
40
- See :ref:`ug_tfm`.
41
41
- | - :ref:`tfm_samples`
42
-
|- :ref:`cryptography samples <crypto_samples>`
43
-
|- :ref:`https_client` sample
44
-
|- :ref:`openthread_samples`
42
+
|- :ref:`crypto_samples`
45
43
|- :ref:`TF-M integration samples <zephyr:tfm_integration-samples>` in Zephyr
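Review bot: The updated TF-M row says "nRF5340, nRF54L and nRF91 Series", while the ap_protect.rst note in this commit names "nRF54L15" and the changelog adds TF-M support only for the ``nrf54l15dk/nrf54l15/cpuapp/ns`` board target. Please align the device scope across the three files so this table does not imply TF-M support on nRF54L devices beyond what the release notes list. The removal of the :ref:`https_client` and :ref:`openthread_samples` links from the samples column should also be explained in the commit message.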
doc/nrf/security/ap_protect.rst
Lines changed: 2 additions & 2 deletions
@@ -88,7 +88,7 @@ See the related hardware documentation for more information about which implemen
88
88
- n/a
89
89
- ✔
90
90
- *Documentation not yet available*
91
-
- Can also use the lifecycle state management mechanism as an alternative to AP-Protect
91
+
- Also supports Secure AP-Protect (see note below)
92
92
* - nRF5340
93
93
- n/a
94
94
- ✔
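Review bot: The new cell text "Also supports Secure AP-Protect (see note below)" replaces the remark about lifecycle state management instead of adding to it, so that information disappears from the table. If the lifecycle state mechanism is still available as an alternative to AP-Protect on this device, keep both remarks in the cell. Prefer a labeled cross-reference over "see note below", which becomes wrong if the note is moved.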
@@ -131,7 +131,7 @@ See the related hardware documentation for more information about which implemen
131
131
-
132
132
133
133
.. note::
134
-
The SoCs or SiPs that support `ARM TrustZone`_ and different :ref:`app_boards_spe_nspe` (nRF5340 and nRF91 Series) implement two AP-Protect systems: AP-Protect and Secure AP-Protect.
134
+
The SoCs or SiPs that support `ARM TrustZone`_ and different :ref:`app_boards_spe_nspe` (nRF5340, nRF54L15 and nRF91 Series) implement two AP-Protect systems: AP-Protect and Secure AP-Protect.
135
135
While AP-Protect blocks access to all CPU registers and memories, Secure AP-Protect limits access to the CPU to only non-secure accesses.
136
136
This means that the CPU is entirely unavailable while it is running the code in the Secure Processing Environment, and only non-secure registers and address-mapped resources can be accessed.
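Review bot: In the changed note, "(nRF5340, nRF54L15 and nRF91 Series)" mixes two SoC names with a series name, so "Series" can be read as applying to nRF54L15 as well. Suggest "(nRF5340, nRF54L15, and the nRF91 Series)", and use the same naming for the nRF54L parts as the TF-M row in security.rst so the two pages agree on which devices have Secure AP-Protect.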